Overview

Revive Care Recovery, Inc. ("Revive," "we," "us," or "our") operates a business-to-business software-as-a-service platform that helps healthcare clinics identify patients who may benefit from follow-up care and coordinate care-recovery communications on the clinic's behalf. This Privacy Policy explains how we collect, use, disclose, and protect information in connection with the Revive platform and our websites at revivehs.co, app.revivehs.co, and intelligence.revivehs.co (collectively, the "Services").

This Privacy Policy applies to three distinct groups:

• Website visitors — individuals who browse our marketing websites at revivehs.co or intelligence.revivehs.co
• Clinic users — authorized personnel of healthcare clinics and healthcare facilities who access and use the Revive platform at app.revivehs.co
• Patients — individuals who receive messages or other communications facilitated by Revive on behalf of a participating clinic

Revive plays different roles with respect to each group, which affects your privacy rights and how those rights are exercised. This is explained in detail in Section 1.

1. Our Roles Under Applicable Law

1.1 Website Visitors

For individuals who visit our marketing websites at revivehs.co or intelligence.revivehs.co, Revive is the data controller of any personal information you choose to submit (e.g., through a contact form, demo request, or email to us).

1.2 Clinic Users

For authorized personnel of healthcare clinics who access the Revive platform to manage their clinic's patient outreach, Revive is the data controller of account-level information (names, email addresses, job titles, login credentials, and billing information) that the clinic user provides in order to administer the account.

1.3 Patients

For patient data (including Protected Health Information, or "PHI," as defined under HIPAA) that flows through the Revive platform, Revive acts solely as a Business Associate of the clinic under the Health Insurance Portability and Accountability Act of 1996 ("HIPAA"), as amended by the HITECH Act. The clinic is the Covered Entity and controls how patient data may be used and disclosed. Revive's handling of PHI is governed by a Business Associate Agreement between Revive and the clinic.

This Privacy Policy does not limit, expand, or alter the terms of any Business Associate Agreement between Revive and a clinic. Where this Privacy Policy conflicts with an executed BAA with respect to patient PHI, the BAA governs.

2. Information We Collect

2.1 Information You Provide to Us

We collect information that you or your clinic voluntarily provides to us, including:

• Account and identity information — name, job title, email address, phone number, username, password, and professional role when clinic personnel create a Revive account
• Clinic information — clinic legal name, taxpayer identification number, business address, practice specialty, and similar practice-level data
• Billing information — billing address, credit card or ACH account details submitted to our payment processor (see Section 4)
• Patient information (uploaded by clinics) — patient name, contact information, appointment history, procedure history, and clinical data necessary for the Services to function. This data is processed by Revive only as the clinic's Business Associate under HIPAA and in accordance with the clinic's BAA
• Communications — any information you submit through contact forms, support requests, emails, or other communications with us

2.2 Information Collected Automatically

When you visit our websites or use our platform, we automatically collect limited technical information, including IP address, browser type and version, operating system, referring URL, pages viewed, timestamps of usage, and device identifiers. This information is used for security, operational, and aggregate analytics purposes.

Revive does not currently use third-party analytics tools, advertising trackers, or non-essential cookies on revivehs.co or intelligence.revivehs.co. We use only essential session cookies required for platform security and functionality on app.revivehs.co.

2.3 Information Collected from Other Sources

For business-to-business outreach purposes, we may collect limited professional contact information about clinic decision-makers from public databases, professional directories, and business data providers (e.g., practice name, publicly-listed practice phone number, publicly-listed practice email address). We do not collect sensitive personal information from third-party sources.

3. Sensitive Information and Protected Health Information

Revive processes Protected Health Information (PHI) on behalf of participating clinics solely in Revive's capacity as the clinic's Business Associate under HIPAA. PHI is handled in accordance with the applicable Business Associate Agreement and the requirements of 45 C.F.R. Parts 160 and 164.

PHI that flows through the platform is used only for:

• Providing the Services to the clinic
• Communicating with patients on the clinic's behalf, at the clinic's direction, and in accordance with the clinic's HIPAA-compliant patient-consent framework
• Treatment, payment, and health care operations, as those terms are defined under HIPAA
• Revive's proper management and administration of its business and to carry out Revive's legal responsibilities, as permitted under 45 C.F.R. § 164.504(e)(4)
• Creating de-identified data in accordance with Section 8 of this Privacy Policy

Revive does not use PHI to train machine-learning or artificial-intelligence models. See Section 5 for more information about our AI practices.

4. How We Use Information

We use the information we collect to:

• Provide, operate, maintain, and improve the Services
• Authenticate clinic users and administer accounts
• Facilitate care-recovery messaging and outreach at the direction of the clinic
• Process subscription billing and payments
• Communicate with clinic users about service updates, changes, security matters, and support requests
• Respond to inquiries from prospective clinic customers
• Protect the security, integrity, and availability of the Services (including fraud detection, abuse prevention, and security monitoring)
• Comply with legal obligations, respond to lawful requests from authorities, and enforce our contractual rights
• Create de-identified data as described in Section 8

5. Artificial Intelligence

The Services use artificial intelligence ("AI") to support care-related workflows, including message generation, message processing, and conversational communication with patients. AI processing is performed through Amazon Bedrock, a HIPAA-eligible AI service provided by Amazon Web Services. The underlying large language models accessed through Bedrock are provided by Anthropic.

Our AI practices:

• No training on PHI — Revive does not use PHI to train, fine-tune, or improve any AI models. Model providers accessed through Amazon Bedrock do not receive data for training purposes
• Inference only — PHI is used only for real-time inference (e.g., generating a personalized reply to a patient) and is not retained by the AI provider beyond the immediate transaction, per the terms of our AWS BAA
• HIPAA infrastructure — AI inference occurs inside AWS's HIPAA-compliant infrastructure, covered by an executed Business Associate Agreement between Revive and AWS
• Quality safeguards — AI-generated outputs are constrained to defined care-recovery contexts and reviewed by Revive's internal quality assurance processes before deployment

6. Subprocessors and When We Share Information

6.1 Subprocessors

We use the following subprocessors to operate the Services. Each subprocessor is engaged under a written agreement that obligates them to protect personal information consistent with this Privacy Policy and applicable law.

We will update this list when we add, remove, or change material subprocessors. Material changes will be communicated to clinic customers in advance of taking effect.

6.2 Other Sharing

Beyond subprocessors, we may share information in the following limited circumstances:

• With participating clinics — patient data is shared only with the clinic that uploaded or authorized that data, consistent with the applicable BAA
• Business transfers — in connection with a merger, acquisition, financing, reorganization, or sale of all or substantially all of our assets, personal information may transfer to the successor entity, subject to the protections of this Privacy Policy and any applicable BAA
• Legal compliance — we may disclose information in response to lawful subpoenas, court orders, or government requests, subject to applicable law and our obligations under any BAA
• To protect rights and safety — we may disclose information where we have a good-faith belief it is necessary to prevent harm, fraud, or illegal activity

Revive does not sell personal information or PHI. Revive does not share SMS opt-in data, patient consent data, or patient phone numbers with third parties for marketing or promotional purposes. Revive does not share personal information with data brokers.

7. Scan Tool

Revive offers a pre-sale scan tool available at revivehs.co that allows prospective clinic customers to upload a patient data file to receive a preliminary assessment of how many patients may benefit from care recovery. The scan tool is architected so that PHI never leaves the prospect's browser and is never transmitted to Revive's servers.

Consistent with the Scan Tool's privacy-first architecture:

• Protected Health Information never leaves the prospect's browser and is never transmitted to or stored by Revive
• The original patient data file is never uploaded to Revive and exists only within the memory of the browser session
• Only de-identified information created using industry-standard one-way cryptographic methods is transmitted to Revive, and only to the extent necessary to generate the scan results

Because the Scan Tool does not disclose PHI to Revive, no Business Associate Agreement is required between Revive and a scan-tool user under 45 C.F.R. § 164.502(e)(1). Revive's technical architecture for the Scan Tool is available for review under a separately executed Mutual Nondisclosure Agreement by prospective clinic compliance teams upon request. See our Scan Tool Terms and Privacy for additional details.

8. De-identified Data

Revive may create de-identified data from PHI in accordance with the de-identification standard set forth in 45 C.F.R. § 164.514(b), including the Safe Harbor method and the Expert Determination method as applicable. Once data has been de-identified in accordance with that standard, the resulting data is not PHI.

Revive uses de-identified data for:

• Improving the performance and accuracy of the Services
• Developing new features and analytical capabilities
• Benchmarking and aggregate industry research
• Publishing aggregate industry insights (e.g., statistics about care-recovery rates across specialties)

Revive does not attempt to re-identify de-identified data. Revive owns all right, title, and interest in de-identified data it creates.

9. SMS Messaging and TCPA Compliance

The Services include facilitating SMS (text message) communications from participating clinics to their patients. Revive operates as an Independent Software Vendor ("ISV") on the Telnyx messaging network, delivering messages on behalf of the clinic.

9.1 Clinic as Sender

For purposes of the Telephone Consumer Protection Act ("TCPA"), 10DLC carrier registration, and applicable state messaging laws, the clinic is the "sender" of all SMS messages facilitated through the Services. The clinic is the 10DLC brand holder, the clinic collects patient consent, the clinic approves every message template before deployment, and the clinic's name appears in each message.

9.2 Patient Consent

Patient consent to receive SMS messages is collected by the clinic at the point of patient intake, through the clinic's HIPAA-compliant patient-consent framework. Revive does not collect patient consent directly; Revive relies on the clinic's representation that valid consent has been obtained for each patient whose data is uploaded to the Services.

9.3 Opt-Out and Support

Patients may opt out of receiving SMS messages at any time by replying STOP to any message. Opt-out handling is automated at the platform level and applies across all future messaging. Patients may reply HELP for assistance or contact the clinic directly. Standard message and data rates may apply.

9.4 Opt-In Data Not Sold or Shared

Patient SMS opt-in data and consent records are not sold, rented, or shared with any third party for marketing or promotional purposes. Sharing of opt-in data with subcontractors supporting the Services (such as Telnyx for message delivery) is permitted only to the extent necessary to provide the Services.

10. Data Retention

We retain personal information only as long as necessary for the purposes described in this Privacy Policy, or as otherwise required by law:

• Website visitor data — retained for up to 12 months after last interaction
• Clinic account data — retained for the duration of the clinic's subscription plus a 30-day data export period following termination, after which data is deleted in accordance with the clinic's BAA and the terms of the clinic's subscription agreement
• Patient data — retained in accordance with the applicable Business Associate Agreement and at the direction of the clinic, not to exceed 36 months past termination of the clinic's account unless required by law or by the clinic's record-retention obligations
• De-identified data — retained indefinitely
• Billing and transactional records — retained for the period required by applicable tax and accounting laws (typically 7 years)

11. International Data Transfers

The Services are hosted on infrastructure located in the United States. Revive does not currently offer the Services to clinics or patients located outside the United States. If you access the Services from outside the United States, your information will be transferred to, stored in, and processed in the United States. By using the Services, you consent to such transfer and processing.

12. Security

We implement administrative, physical, and technical safeguards designed to protect personal information and PHI against unauthorized access, use, disclosure, alteration, or destruction, consistent with the HIPAA Security Rule (45 C.F.R. Part 164, Subpart C) and industry best practices. These safeguards include:

• Encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256)
• Role-based access controls, with access granted on a need-to-know basis
• Audit logging of access to PHI
• Multi-factor authentication for administrative access
• Routine security monitoring, vulnerability management, and incident response procedures
• Vendor management and subprocessor oversight

Despite these safeguards, no internet transmission or storage system can be guaranteed to be 100% secure. Users should access the Services only from secure environments.

13. Minors

The Services are intended for use by healthcare clinics and their authorized personnel, all of whom must be at least 18 years old. Revive does not knowingly collect personal information directly from individuals under 18 years of age through its websites or platform.

Patient data uploaded by clinics may include information about patients under 18 years of age, in which case that information is handled exclusively under the clinic's BAA with Revive and subject to the clinic's HIPAA policies and patient-consent framework. Revive does not make independent determinations about patient minors' data; all such determinations are the responsibility of the clinic.

14. Your Privacy Rights

14.1 Website Visitors

If you have submitted information to us as a website visitor (e.g., through a contact form or demo request), you may request access, correction, or deletion of that information by emailing privacy@revivehs.co.

14.2 Clinic Users

Clinic users may review, update, or delete their account information at any time through the platform's account settings. Clinic administrators may also manage user access within their clinic's account.

14.3 Patients

Patients whose data is processed through Revive on behalf of a clinic should direct all privacy rights requests (including HIPAA rights of access, amendment, and accounting of disclosures) to the clinic that uploaded their data. The clinic is the Covered Entity under HIPAA and is responsible for responding to such requests. If Revive receives a request directly from a patient, we will route the request to the applicable clinic within ten business days.

14.4 Withdrawing Consent

Where we rely on your consent to process personal information, you may withdraw that consent at any time by contacting privacy@revivehs.co. Withdrawal of consent does not affect the lawfulness of processing prior to withdrawal.

15. US State Privacy Rights

If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have additional privacy rights under applicable state law. These rights may include:

• The right to know whether we process personal information about you and to access that information
• The right to correct inaccurate personal information
• The right to request deletion of your personal information
• The right to obtain a portable copy of your personal information
• The right to opt out of the sale or sharing of personal information for targeted advertising (Revive does not sell or share personal information for such purposes)
• The right to limit the use or disclosure of sensitive personal information
• The right to non-discrimination for exercising privacy rights
• The right, in certain states, to appeal a denial of a privacy rights request

These rights may be limited in some circumstances by applicable law. To exercise any of these rights, email privacy@revivehs.co. We will verify your identity before processing your request, which may require you to provide additional information.

Patients whose data is processed by Revive as a Business Associate should direct state privacy rights requests to the clinic that holds the patient relationship. State health-information privacy laws typically place these obligations on the Covered Entity (the clinic), not the Business Associate.

15.1 California Shine the Light

California Civil Code Section 1798.83 permits California residents to request information about categories of personal information Revive has disclosed to third parties for their direct marketing purposes in the preceding calendar year. Revive does not disclose personal information to third parties for their direct marketing purposes.

16. Do-Not-Track Signals

Some web browsers transmit "Do Not Track" (DNT) signals. Because there is no uniform industry standard for responding to DNT signals, we do not currently respond to them. If a uniform standard is adopted, we will update this Privacy Policy accordingly.

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. Material changes will be communicated to active clinic customers by email and posted to revivehs.co/privacy with an updated effective date. Your continued use of the Services after a material update constitutes acceptance of the revised Privacy Policy.

18. Contact Us

If you have questions, comments, or concerns about this Privacy Policy or our privacy practices, you may contact us at: